Privacy Policy - Eurocommercial Properties N.V.

EUROCOMMERCIAL PRIVACY POLICY

 

I. GENERAL INTRODUCTION – DATA PROTECTION GOVERNANCE

 

On 25 May 2018 a new European privacy law - the General Data Protection Regulation (GDPR) - will come into force.

 

Privacy and the protection of personal data are fundamental rights and Eurocommercial is dedicated to respecting this and to observing the rules set out by European and national law.

 

Eurocommercial has created this Privacy Policy to:

  • Explain the requirements of GDPR, and how this applies to its daily business.
  • Outline Eurocommercial’s data governance model.
  • Offer guidance to employees on how to implement this policy in accordance with the GDPR.

 

What is privacy and data protection and why is it important?
Privacy and data protection are (almost) the same and refer to the right of an individual (“the data subject”) to have control over the way their personal data is used. Personal data is information about an identified or identifiable individual. Examples of personal data are name, email address and telephone number, but also IP address, social security number, photographs, video recordings etc. This document often uses the word “processing” to mean any use of personal data, such as recording, sharing, deleting, copying, etc.

 

People are generally very concerned about their privacy. Any unfair or unlawful processing of personal data generates a lot of public outrage and bad publicity. Our employees, tenants, customers and visitors of shopping centres, therefore, need to know that their personal data is handled correctly when they deal with Eurocommercial. Secondly, violations of data protection laws are subject to large fines. In the Netherlands, the Data Protection Authority can impose a fine of up to € 820,000 or 10% of annual turnover. This is why proper data protection is important.

 

Roles in data protection law
Data protection law distinguishes between three important roles. This document will refer to the data controller and data processor. The data controller is the entity which – by itself or together with others – determines the means and purposes for the data processing. For example, Eurocommercial – as an employer – is the data controller when it comes to the processing of its employees’ personal data. The data processor is the entity which processes personal data on behalf of the data controller(s). The data processor is usually a supplier of the data controller, such as the party who takes care of payroll management.

Finally, the third important role is the individual whose personal data is processed. This individual is called the data subject.

 

II.  EUROCOMMERCIAL MODEL OF DATA PROTECTION GOVERNANCE

Eurocommercial must comply with applicable data protection legislation in the countries where data processing takes place in the context of its activities. Eurocommercial N.V. in the Netherlands will qualify as the data controller under Dutch data protection law. Local establishments in Belgium, France, Italy and Sweden may qualify as data controllers under their local data protection legislation. All data controllers will abide by and comply with local data protection law and the Eurocommercial Privacy Policy.

 

In order to embed data protection in the corporate structure and ensure data protection compliance, Eurocommercial has set up its Data Protection Governance Model, based on three lines of defence:

  1. First line of compliance: Operational (country) directors are responsible for compliance with the Eurocommercial Privacy Policy of their staff members. They will instruct their staff members to comply with the Eurocommercial Privacy Policy. Furthermore, they will identify, assess, control and mitigate risks and ensure data processing is compliant with this policy. If the risk turns out to be high, the operational (country) director will refer the matter to the second line of compliance.
     
  2. Second line of compliance: A Data Protection Officer (DPO) will monitor overall compliance with the Eurocommercial Privacy Policy. The DPO will inform and advise operational (country) directors and the Board of Management on data protection compliance, data protection impact assessments and will act as the point of contact for the supervisory authority. The DPO will keep a register of all data processing activities within Eurocommercial. The DPO will directly report to the Board of Management.
     
  3. Third line of compliance: The audit committee of the Supervisory Board will evaluate, test and report on compliance with the privacy policy during regular activities.

 

III. TEN BASIC DATA PROTECTION RULES FOR EUROCOMMERCIAL EMPLOYEES

All members of the Eurocommercial organization are expected to be aware of and comply with applicable laws.


What are the most important data protection rules?
Data protection law is based on the following basic rules. Please see further down for a short explanation of these rules.

  1. Personal data may only be collected for well-defined purposes.
  2. Personal data may not be processed in a way that is incompatible with the purposes for which the personal data was originally collected.
  3. Personal data may only be processed after obtaining consent or, if necessary, for:
    1. compliance with a legal obligation
    2. execution of a contract with the data subject or to take pre-contractual measures in response to the data subject’s request
    3. the legitimate interests of Eurocommercial or a third party to whom the data are disclosed.
  4. Data processing and data retention must be limited to what is necessary to complete the purposes for which the personal data are processed (data minimization).
  5. Personal data must be protected by confidentiality and technical and organizational security measures.
  6. If a service provider processes personal data on our behalf, Eurocommercial is required to execute a data processing agreement with this party.
  7. Eurocommercial is prohibited from processing special categories of personal data (‘sensitive personal data’), unless the law provides a specific exemption. Sensitive data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health, sex life, criminal offences or convictions.
  8. Eurocommercial should inform the data subject about how their personal data is processed, by disclosing: the identity of the data controller (Eurocommercial), the purposes for the processing, the categories of personal data and any additional information which may be important for the data subject.
  9. Eurocommercial should respect the rights of data subjects to have access to their personal data as well as the right to correct, delete or object to the processing of their data.
  10. Eurocommercial is only allowed to transfer personal data to countries outside the European Economic Area (European Union plus Iceland, Liechtenstein and Norway) under certain strict conditions, for example by executing a special model agreement and/or obtaining approval from the data protection authority.

 

The ten basic rules explained

1. Personal data may only be collected for well-defined purposes.
Personal data is always collected for a specified, explicit and legitimate purpose. These purposes are determined before the processing starts and may not be altered later. A “purpose” is the reason for which Eurocommercial will use the personal data. For example, a Eurocommercial shopping center collects email addresses of shoppers to send its marketing newsletter. Another example is that Eurocommercial processes the bank details of its employees to pay salary every month. The description of the purpose should always be specific enough to enable Eurocommercial to determine whether the processing carried out to achieve this purpose is necessary.

 

2. Personal data may not be processed in a way that is incompatible with the purpose for which the personal data was collected originally.
Once Eurocommercial has decided to collect data for a specific purpose, it may not further process those data for any reason which is incompatible with that original purpose. For example, if a Eurocommercial shopping center collected email addresses to send its marketing newsletter, those same addresses may not be sold to a third party.

 

3. Personal data may only be processed after obtaining consent or if necessary for:
     a. compliance with a legal obligation;
     b. execution of a contract with the data subject, or to take pre-contractual measures in response to the data subject’s request;
     c. the legitimate interests of Eurocommercial or a third party to whom the data are disclosed.

After determining the purpose of the processing, it is important to determine whether a justification for processing exists. Obtaining consent is only one example of a justification and should be avoided if another justification is available.

 

Consent. Consent should be freely given, specific and informed. Freely given means that the data subject should not feel pressured to give their consent. For this reason, an employee cannot give valid consent to their employer for the processing of their personal data, as the employee is (generally) not free to refuse. Specific means that the consent should relate to specific purposes and must never be a general authorization to process personal data. Informed means that the data subject understands the scope and risks of the processing before giving consent. Note that consent for children younger than sixteen years old must be given by the legal guardian. Consent can be revoked at any time and, consequently, the processing must cease immediately.

 

Compliance with a legal obligation. Eurocommercial may be subject to a statutory (non-contractual) obligation or a judicial order which justifies the processing of personal data. For example, several tax laws require the company to process financial data. Law enforcement may request camera footage to investigate a shoplifter. A court may also force Eurocommercial to disclose certain information. In those cases, Eurocommercial is required – and, therefore, permitted – to process personal data. The processing must be strictly necessary for compliance with such an obligation.

 

Pre-contractual measures. Eurocommercial will have to perform data processing to determine whether it wants to conclude an agreement, for example if a person applies for a job.

 

Execution of a contract with the data subject
Eurocommercial may have to process personal data to comply with a contract, but only if the data subject is a party to the agreement. For example, Eurocommercial must process employee data in order to perform the employment agreement. The processing must be strictly necessary for the performance of the contract.

 

Legitimate interests of Eurocommercial or a third party to whom the data are disclosed
This justification for data processing is the broadest and can, therefore, be very useful. Eurocommercial may have a legitimate interest in performing data processing. However, this interest must be balanced against the rights and freedoms, including the right to data protection, of the data subject. If this balancing test weighs in favor of Eurocommercial, the processing may proceed. If not, the processing is not allowed. This balancing test can be influenced by taking additional safeguards to minimize the impact of the processing on the data subject.

 

The legitimate interest ground is best understood using an example. Eurocommercial has a legitimate interest to ensure the safety of visitors to its shopping centers. Eurocommercial, therefore, decides to place security cameras. However, these cameras constantly record the movements of visitors, who have a right not to be subject to excessive surveillance. Eurocommercial decides to store the recordings securely so that only the manager and security guards have access to the materials. Moreover, the images are retained for a restricted period of time. The cameras are placed in such a way that only the inside of the shopping center is captured, not the street outside. Finally, Eurocommercial places signs at every entrance alerting visitors to the presence of security cameras. Under those circumstances, Eurocommercial has a legitimate interest in using the cameras which is not outweighed by the interest of the data subjects.

 

4. Data processing and data retention must be limited to what is necessary to complete the purposes for which the personal data is processed (data minimization).

 

For example, if the purpose of the processing is to verify the identity of an individual, Eurocommercial could make a scan of the passport or driver’s license. However, it would be sufficient to simply do a visual inspection of the passport, without making a copy. In that way, data processing is limited to what is strictly necessary.

 

Data processing should not only be limited in scope, but also in time. Once the purpose for the data processing has been completed, the data should be deleted. For example, when an employee leaves the company, there is no more reason to keep track of the days that she was on sick leave. On the other hand, Eurocommercial needs to retain documents which are important to comply with local applicable law, e.g. tax law.

 

5. Personal data must be protected by confidentiality and technical and organizational security measures.

 

Eurocommercial has an obligation to keep any personal data confidential and to ensure that its employees are bound by confidentiality.
First, Eurocommercial has an obligation to take appropriate technical and organizational security measures to protect personal data against accidental and unlawful destruction or unauthorized processing. Technical measures may include back-ups, encryption, password-protection, using firewalls or locking rooms with sensitive documents or systems. Organizational security measures include written data protection policies (such as this document), awareness training or regular audits.

 

Secondly, Eurocommercial under applicable law may have an obligation to notify ‘data breaches’ both to the competent Data Processing Authority and data subjects involved. Further information can be obtained via the Data Breach Notification Protocol.

 

6. If a service provider processes personal data on its behalf, Eurocommercial is required to execute a data processing agreement with this party.

Such a data processing agreement should at least include the following provisions:

  • The data processor will only process personal data on behalf – and in accordance with the instructions – of Eurocommercial. The data processor will not process the data for its own purpose.
  • The data processor will ensure that its employees are contractually bound to confidentiality.
  • The data processor will implement appropriate technical and organizational security measures.
  • (Recommended.) The data processor will immediately alert Eurocommercial if it discovers a data breach.
    The template data processor agreement – solely to be used for a data processor located in the European Economic Area (EU, Norway, Iceland, Liechtenstein) – is available via the Eurocommercial Data Protection Officer (privacy@ecpnv.com).

 

7. Eurocommercial is prohibited from processing special categories of personal data (‘sensitive personal data’), unless the law provides a specific exemption. Sensitive data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health, sex life, criminal offences or convictions.

Sensitive data may only be processed in exceptional circumstances. There are a few cases where Eurocommercial will be forced to process sensitive data:

  • Eurocommercial is likely to process health data for its employees, for example when an employee is absent due to maternity leave. The fact that an employee is pregnant qualifies as health data. Another example is an employee who requires special facilities for health reasons, e.g. a special chair or wheelchair access;
  • Eurocommercial may also process information revealing race or religion, as photos will often provide information about a person’s race and – in some cases – their religious beliefs;
  • Eurocommercial may also process information about a person’s criminal behavior using security cameras.

 

In any other circumstance, it is unlikely that Eurocommercial would need to process sensitive personal data. There are a great many general and specific exceptions under local applicable law available to Eurocommercial, depending on the circumstances. If you expect to process sensitive personal data, please contact the Data Protection Officer to assist in determining whether an exemption applies.

 

8. Eurocommercial should inform the data subject about how their personal data is processed, by disclosing: the identity of the data controller (which Eurocommercial entity), the purposes for the processing, the categories of personal data and any additional information which may be important for the data subject.

 

Every act of data processing should come with a privacy statement which explains the data processing to the data subject. This is especially important if the processing is based on consent. Eurocommercial will provide the following information:

  • the identity of the controller;
  • the purposes of the processing;
  • the categories of data concerned;
  • the recipients or categories of recipients of the data;
  • the source of the data;
  • any further information necessary to ensure that the data subject is adequately informed, in light of the specific circumstances of the data processing.

 

This information can be provided in several ways: on paper, on the website, in the or even on a sign (in the case of security cameras).

 

It is important that the information is provided to the data subject before their data is processed. This generally means when the data subject provides the personal data.

 

9. Eurocommercial should respect the rights of data subjects to have access to their personal data as well as the right to correct, delete and object to the processing of their data.

 

Data subjects have the right of access to their personal data held by Eurocommercial and to request the rectification, removal or blocking of data if the processing does not comply with the rules. Furthermore, data subjects may object to the processing of their personal data. Eurocommercial will respond to any such request by a data subject within one month.

 

10. Eurocommercial is only allowed to transfer personal data to countries outside the European Economic Area (European Union plus Iceland, Liechtenstein and Norway) under certain strict conditions, for example by executing a special model agreement and/or obtaining approval from the data protection authority.

 

Not all countries have the same high level of data protection as those applied to countries within the European Union/European Economic Area (EEA). Transferring personal data to “third countries”, such as the United States, could result in a significant drop in privacy for the data subject. Therefore, the transfer of personal data to those third parties is subject to strict rules. These rules are intended to ensure an adequate level of protection. Note that these rules also apply if you transfer the data to a data processor in a third country.

 

There are a few ways to transfer personal data to third countries:

  • Some third countries (e.g. Switzerland, Israel, Argentina, Uruguay) have such a high level of data protection that the European Commission has decided that transfers to these countries are allowed without further action or authorization from the DPA.
  • The European Commission has approved three sets of model contract clauses (often called “Model Clauses”) which ensure an adequate level of protection for data transfer between two specific parties. Such contracts are always concluded between a data exporter in the EEA (who is a data controller) and the data importer outside the EEA (who can also be a data controller or a data processor). Note, many EU countries do require the data controller to notify the transfer or request authorization.
  • The data transfer can be justified in certain circumstances. Many countries require the data controller to notify or obtain authorization for such a data transfer.
    • The data subject consents to the transfer. The same requirements for consent apply. Again, this ground should be avoided if possible.
    • The transfer is necessary for the performance of an agreement with the data subject or to take pre-contractual measures in response to the data subject’s request.
    • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Eurocommercial and a third party.
  • Parties may also decide to use a custom arrangement which provides an adequate level of protection. Often such a custom arrangement is based on part of the Model Clauses. This type of arrangement will be subject to approval by the competent authority in almost any EU member state.


 

IV.  SPECIFIC CHAPTERS

 

Email marketing
Eurocommercial has a legitimate interest in conducting email marketing, if such marketing is conducted within the legal requirements. These requirements have been determined in EU law and implemented in local applicable law. In addition to the requirements set out below, please remember that email addresses are personal data and that all rules set out in Chapter II apply as well.

Background information

 

Rule of thumb for consumer marketing
Eurocommercial must obtain the prior consent from the recipient before sending them direct marketing messages.

 

Rule of thumb for business marketing
Eurocommercial must obtain the prior consent from the recipient before sending them direct marketing messages, with the exception that no prior consent is necessary:

  • If the recipient has clearly indicated an email address to be available for direct marketing messages; or
  • If the recipient is located outside the EEA and the requirements for unsolicited marketing messages in the destination country are complied with.

 

Exemption
If Eurocommercial obtains an email address in the context of a sale of goods or services, it may send direct marketing messages for its own, similar goods or services, provided that the customer was clearly and explicitly given the opportunity to opt out.

 

Obtaining consent
Consent should comply with the basic rules as set out in Chapter II. It should be specific, freely given and informed. It is, therefore, very important to communicate clearly what types of email messages will be sent, when asking for consent. E.g. will it be a newsletter, or will it be sporadic updates about changes to a shopping center or public events?


It is also important to ensure that Eurocommercial can later prove that it has received consent from the recipients. This is often done – both online and on paper – by showing that the person filled out the form which explicitly provides consent.

Sending messages
All direct marketing email messages should include:

  • a clear indication that the messages are of a commercial nature;
  • a clear and unambiguous statement of the nature and any applicable conditions for taking part in any offer, sweepstakes or contests;
  • the name of the entity on whose behalf the messages are sent;
  • the email address the recipient can contact to opt-out of further receipt.

 

Eurocommercial e-marketing policy
Eurocommercial will only send unsolicited e-marketing messages, including information about events at shopping centers, annual reports, press releases, sustainability reports, etc. provided the recipient registered beforehand and gave their prior consent to receiving such messages.

 

COOKIES
Cookies are small text files, stored on your computer as you browse the internet. Cookies are used to store simple information and can be used for a number of applications, such as to remember that you are a logged-in user or to maintain your shopping cart. Cookies can also be used to give a visitor a unique identification number, so that they can be recognized as they surf the internet. Cookies can follow a person as they surf the web, which can have a serious impact on their privacy. The European Union has imposed certain requirements for the use of cookies, which have been implemented in local applicable law. Eurocommercial should take the following rules into account when using cookies.

 

Background information

Rule of thumb
Eurocommercial may only cause cookies to be stored or read from the user’s computer after the user:

  • has been given clear and comprehensive information, including information about the purpose of the use of cookies;
  • is offered an opportunity to refuse the cookies;
  • has given their consent.

Note that it is Eurocommercial’s responsibility to ensure that all cookies placed by third parties (e.g. Google Analytics, Google DoubleClick etc.) through a Eurocommercial website are only placed after the user has given consent.

 

Exception
No consent is necessary for cookies with the sole purpose of carrying out or facilitating the transmission of a communication over the network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

 

Obtaining consent
Consent may be obtained lawfully in one of two ways: explicitly, which requires the user to make an explicit selection before proceeding, or implicitly, which enables the user to indicate their consent by continuing to use the website. Both methods require that the user is informed about the scope of the data processing before making a decision. Note that explicit consent is always the safer choice, in terms of being able to prove that the user was aware of their decision to give consent.

 

Eurocommercial Cookie Policy
Eurocommercial will use the following template cookie statement to inform website visitors about the use of cookies and (where required) obtain their valid explicit consent for the use of such cookies. View the policy here.

Eurocommercial Properties N.V. ("us", "we", or "our") uses cookies on eurocommercialproperties.com (the "Service"). By using the Service, you consent to the use of cookies.
Our Cookies Policy explains what cookies are, how we use cookies, how third-parties we may partner with may use cookies on the Service, your choices regarding cookies and further information about cookies.

 

What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you.
Cookies can be "persistent" or "session" cookies.

 

How Eurocommercial uses cookies
When you use and access our website, we may place a number of cookie files in your web browser.

We use cookies for the following purposes: to enable certain functions of the Service, to provide analytics, to store your preferences, and to enable advertisement delivery, including behavioral advertising.
We use both session and persistent cookies on the Service and we use different types of cookies to run the Service.

 

Third-party cookies
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, improve the user experience of the Service, and so on.


What are your choices regarding cookies
If you'd like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser.

Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.

 

CAMERA SURVEILLANCE

Camera surveillance is generally used as an effective way of keeping people and property safe, but it can have an impact on the privacy of those people subject to the surveillance. Though camera surveillance is not illegal, there are a number of restrictions that Eurocommercial should observe. Note that the below restrictions apply in addition to the rules set out in Chapter II.

 

Eurocommercial Camera Surveillance Policy

  • When using camera surveillance in a shopping center, make clear arrangements with tenants about who is responsible for surveillance in the shopping center common areas. Try to prevent overlapping surveillance, unless this is unavoidable.
  • Avoid camera surveillance of streets and other public areas which are not part of a Eurocommercial facility, unless this is unavoidable. In that case, make a clear arrangement with the police as to who is responsible for surveillance in which area.
  • It is illegal in many countries to perform video surveillance in secret. Use visible cameras with clearly visible notices whenever possible. Contact the Data Protection Officer if you consider (or by accident detect) the use of hidden video surveillance.
  • Determine what the retention term will be and make sure that the surveillance images will be kept for no longer than necessary to achieve the purposes.
  • Camera surveillance will be used for the following purposes only:
    • ‘protect the safety of individuals and goods’- for this purpose, surveillance images will be kept no longer than four weeks, or in case of a specific incident, for as long as necessary to deal with this incident;
    • ‘count the number of visitors of a shopping center’- for this purpose, the camera will be configured to blur images of individuals and to merely count individuals – the images will not be kept for this purpose.
    • Contact the Data Protection Officer if you consider using camera surveillance for other purposes. Please note that many countries, including the Netherlands, place higher restrictions on the monitoring of employees (either on purpose or accidentally). Constant observation of employees through video surveillance is only allowed in very particular circumstances, where it is unavoidable and the interest in carrying out such surveillance outweighs the privacy rights of employees.

 

WI-FI TRACKING
Wi-Fi Tracking (WFT) involves the recording of the behavioral patterns of unique visitors on the basis of their mobile devices’ MAC-addresses. Because it involves the recording of unique MAC-addresses in combination with data regarding location, date and time, such information can be considered the processing of personal data. Information regarding location and an individual’s shopping habits can be considered very intrusive information. As such, the use of WFT should include a number of safeguards. These safeguards are in addition to the basic data protection rules, set out in Chapter II.

 

Eurocommercial WFT Policy

  • WFT should take place within the confines of the shopping center only. Passersby outside the shopping center should not be tracked.
  • WFT should only take place during those times that the shopping center is actually open.
  • WFT will be used for the following purposes only:
    • ‘count the number of visitors and their walking patterns within the shopping center’.
    • If you consider using WFT for other purposes, contact the Data Protection Officer.
  • Visitors should be adequately informed about the use of WFT, including the purposes of WFT, for example by posting signs at the entrance. In addition, visitors should be able to find information about WFT on the shopping center website.
  • The data obtained through WFT should only be recorded for a limited time and deleted, pseudonymized or anonymized as soon as possible.
  • Visitors should be offered an opt-out, if possible.
  • Eurocommercial should coordinate with the supplier of WFT equipment and services to ensure that the above safeguards – and other measures – are implemented properly.